tomcat-users mailing list archives

From Paul Sundling <s...@tkz.net>
Subject Re: security hole on windows tomcat?
Date Tue, 12 Aug 2003 00:43:17 GMT
I never changed the mime-mapping when I installed it.  I run tomcat 
manually or as a manual service.  When I tried running tomcat as an 
automatic service, it had trouble.  The only changes I made were in 
configs specific to webapps.  The problem is present on the unmodified 
examples webapp.  The only two jars I added in the SDK were the JDBC 
drivers for postgres and mysql.

Paul Sundling

Cox, Charlie wrote:

>did you change any mime-mappings in conf/web.xml? could you have a "jsp " in
>there somewhere defining it as text?
>
>>-----Original Message-----
>>From: Angus Mezick [mailto:amezick@guidestar.org]
>>Sent: Monday, August 11, 2003 12:15 PM
>>To: Tomcat Users List
>>Subject: RE: security hole on windows tomcat?
>>
>>Ok guys,
>>What could I have turned on that would have allowed this bug to happen?
>>I can make it happen in both tomcat and tomcat through apache.  (Most
>>recent of both)  I can provide a site where it DOES happen so you guys
>>can see what is happening.
>>
>>>-----Original Message-----
>>>From: Cox, Charlie [mailto:ccox@cincom.com]
>>>Sent: Monday, August 11, 2003 12:07 PM
>>>To: 'Tomcat Users List'
>>>Subject: RE: security hole on windows tomcat?
>>>
>>>sorry, I don't know - I don't use Apache. This was just a thought that I
>>>had.
>>>
>>>I do not have this problem 4.1.24 on Win2k
>>>
>>>Charlie
>>>
>>>>-----Original Message-----
>>>>From: Angus Mezick [mailto:amezick@guidestar.org]
>>>>Sent: Monday, August 11, 2003 11:49 AM
>>>>To: Tomcat Users List
>>>>Subject: RE: security hole on windows tomcat?
>>>>
>>>>Charlie,
>>>>How do you fix this within apache?
>>>>
>>>>>-----Original Message-----
>>>>>From: Cox, Charlie [mailto:ccox@cincom.com]
>>>>>Sent: Monday, August 11, 2003 10:15 AM
>>>>>To: 'Tomcat Users List'
>>>>>Subject: RE: security hole on windows tomcat?
>>>>>
>>>>>do you have apache on the front end and are you only mapping *.jsp where
>>>>>*.jsp%20 is not a match and apache would then serve the file as text?
>>>>>
>>>>>Charlie
>>>>>
>>>>>>-----Original Message-----
>>>>>>From: John Turner [mailto:tomcat-user@johnturner.com]
>>>>>>Sent: Monday, August 11, 2003 9:22 AM
>>>>>>To: Tomcat Users List
>>>>>>Subject: Re: security hole on windows tomcat?
>>>>>>
>>>>>>Appending "%20" to my Tomcat 4.1.1x URLs generates a 404.
>>>>>>
>>>>>>John
>>>>>>
>>>>>>Paul Sundling("Webdaddy") wrote:
>>>>>>
>>>>>>>I came across what appears to be a security hole when running tomcat.
>>>>>>>I'm not sure how widespread it is, but my linux server is safe, yet my
>>>>>>>windows XP, tomcat 4.1.24 is vulnerable.
>>>>>>>
>>>>>>>I found that if you append %20 to a jsp page it shows the source code
>>>>>>>instead of displaying the page:
>>>>>>>
>>>>>>>http://192.168.1.54:8080/index.jsp  <shows page as expected>
>>>>>>>http://192.168.1.54:8080/index.jsp%20 <shows source code of index.jsp>
>>>>>>>
>>>>>>>So how widespread is this?
>>>>>>>
>>>>>>>Paul Sundling
>>>>>>>
>>>>>>>---------------------------------------------------------------------
>>>>>>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>>>>>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
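As an added example, not part of this thread: a small Python check that models Charlie's hypothesis above (a literal `*.jsp` front-end mapping does not claim `index.jsp%20`, while the file system opens the decoded name with its trailing space dropped) and runs it over access-log lines to flag requests that fall into that gap. The log lines are constructed for illustration, and the trailing-space normalization rule is an assumption about the Windows file system, not something the thread confirms.

```python
import re
from fnmatch import fnmatch
from urllib.parse import unquote

# Constructed Apache-style access log lines (not taken from the thread).
SAMPLE_LOG = """\
192.168.1.10 - - [11/Aug/2003:12:15:01 -0400] "GET /index.jsp HTTP/1.1" 200 1843
192.168.1.10 - - [11/Aug/2003:12:15:07 -0400] "GET /index.jsp%20 HTTP/1.1" 200 2210
192.168.1.11 - - [11/Aug/2003:12:16:30 -0400] "GET /images/logo.gif HTTP/1.1" 200 512
192.168.1.12 - - [11/Aug/2003:12:17:02 -0400] "GET /examples/jsp/num/numguess.jsp%20%20 HTTP/1.0" 200 3011
192.168.1.13 - - [11/Aug/2003:12:18:45 -0400] "GET /index.jsp HTTP/1.1" 404 0
"""

# client, request path, status code from a common-log-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) \S+" (\d{3})')


def mapped_to_container(raw_path, pattern="*.jsp"):
    """Does a literal extension mapping (the kind Charlie describes) claim this raw URL?"""
    return fnmatch(raw_path.split("?", 1)[0], pattern)


def filesystem_view(raw_path):
    """Assumed file-system view: percent-decode, then drop trailing spaces (Windows-style)."""
    return unquote(raw_path.split("?", 1)[0]).rstrip(" ")


def is_mapping_bypass(raw_path, pattern="*.jsp"):
    """True when the mapping misses the request but the file system would still open the .jsp."""
    return not mapped_to_container(raw_path, pattern) and fnmatch(filesystem_view(raw_path), pattern)


def find_bypass_attempts(log_text, pattern="*.jsp"):
    """Return (client, raw_path, status) for every logged request that slips past the mapping."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, path, status = m.groups()
        if is_mapping_bypass(path, pattern):
            hits.append((client, path, int(status)))
    return hits


if __name__ == "__main__":
    for client, path, status in find_bypass_attempts(SAMPLE_LOG):
        print(f"{client} requested {path!r} -> {status} (not claimed by *.jsp mapping)")
```

A 200 on a flagged line is the case worth investigating, since the front end answered a request the container mapping never saw.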
